Microsoft pays out $28K to IE bug hunters in its first-ever bounty program
Security expert calls it a success -- enough bugs to fill one or two IE updates -- even though the dollar amount was about the same as Google's for the last iteration of Chrome
Computerworld - Microsoft today announced that it had paid more than $28,000 in rewards to researchers for its first bug bounty program, a one-month special it ran during the summer for the preview version of Internet Explorer 11 (IE11).
While Microsoft trumpeted the amount, it was actually only $1,000 more than Google paid outside researchers last week for reporting flaws in the latest version of the search company's Chrome browser, and about 10% of what Google has forked over so far this year to security researchers.
"The amount of money really only matters if their offer was way off base from other programs," said Andrew Storms, director of DevOps at cloud security vendor CloudPassage. "They [only] have to pay enough to entice people to report the bugs. On the other hand, those people who are more prone to sell their vulnerabilities on the black market are still going to do so."
Microsoft kicked off its IE11 Preview Bug Bounty program June 26, when it said it would pay researchers up to $11,000 for each IE11 vulnerability they found and reported through July 26.
At the launch of the bounty -- the first Microsoft initiative that paid researchers for each unknown vulnerability they reported -- Katie Moussouris, a senior security strategist lead with the company, said the IE11 program was designed to get researchers to file vulnerabilities during the browser's beta test run, a time when third-party bug brokers have declined to purchase flaws.
According to a page that spelled out the IE11 bug bounty results, Microsoft paid six researchers for reporting 15 bugs in the browser.
James Forshaw of Context Security walked off with $9,400 for submitting four IE11 flaws and pointing out some design vulnerabilities; Jose Antonio Vazquez Gonzalez of Yenteasy Security Research earned $5,500 for five bugs; Google engineers Ivan Fratric and Fermin J. Serna were awarded $1,100 and $500 for one vulnerability each; independent researcher Masato Kinugawa got $2,200 for a pair of bugs; and Peter Vreugdenhil of Exodus Intelligence reported one vulnerability.
Although Microsoft said that Vreugdenhil requested that his payment be withheld from publication, some quick arithmetic using Microsoft's claim of over $28,000 indicated he was paid approximately $10,000.
Both Forshaw and Vreugdenhil are former winners at the Pwn2Own hacking contest, one of each year's highest-profile challenges. Forshaw received $20,000 for hacking Java in March at the 2013 Pwn2Own, while Vreugdenhil was a $10,000 winner at the 2010 edition.
Fratric is also well known: In 2012, before he joined Google, he won second place and $50,000 in Microsoft's BlueHat Prize, a contest the Redmond, Wash. company launched to acquire new technologies to block return-oriented programming, or ROP, a technique often used to sidestep DEP, or data execution prevention, one of Windows' main anti-exploit technologies.
Storms rated the IE11 program a success, if only because, as Microsoft's first true bug bounty, it was a milestone. But he also characterized the quantity of reported vulnerabilities as "a healthy number" in an interview via instant message today.
"If you consider the number of CVEs for IE patched on any given Patch Tuesday, this lot probably represents one or two months of IE bulletins," Storm said.
Microsoft will release the final of IE11 for Windows 8 and Windows RT on Oct. 17, when it offers the Windows 8.1 update to current users. IE11 on the more popular Windows 7 is to ship some time this fall.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts